Test File for MAR Threat Workspace


Hi All,

Does anyone have a test file (malware maybe, or a script) that can trigger a detection in the MAR Threat Workspace?

BR,

G.A.

Accepted Solution
rgc (McAfee Employee), Message 2 of 6

Re: Test File for MAR Threat Workspace


There is a very simple method to create a sample file that is tested as "UNKNOWN".

Follow these steps to create a file with an unknown reputation:

1. Install 7-Zip as a program.
2. Create a text file, for example RGC.txt.
3. Add some text to it and save it, so it isn't blank.
4. Right-click on the file, expand 7-Zip and choose "Add to archive".
5. In the archive dialog, tick "Create SFX archive", hit OK and save it.
6. Go to the newly created .exe, run it and extract it.
7. From the Agent Monitor click "Collect and send props" and "Send events".
8. Check the TIE Reputations page to see that the file shows as UNKNOWN.


Raghavendra GC
McAfee Technical Support – APAC
Customer Success Group
www.mcafee.com
5 Replies

Re: Test File for MAR Threat Workspace


Thanks.

Your suggestion is working.

Re: Test File for MAR Threat Workspace


I see the file in TIE Reputations, but I don't see it in the MAR Workspace. How long should I expect it to take for the file to show up in MAR? Or am I missing a configuration somewhere? I need to ensure MAR is working properly.

Thanks!

rgc (McAfee Employee), Message 5 of 6

Re: Test File for MAR Threat Workspace


Prechecks for the MAR Workspace to show the data:

1) Verify the trace plugin is enabled in the policy that is applied to the endpoint.

2) The DXL Cloud Databus URL is pointing to a production environment. We can check this from ePO -> Configuration -> Server Settings -> DXL Cloud Databus -> URL [https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce].

3) The trace Broker Extension is activated. We can check this from ePO -> Configuration -> Server Settings -> DXL Topology -> Broker extension. It must show the "Provides Trace data to the cloud for MAR Workspace" checkbox activated.

4) Ensure the client system is installed with the [MAR client, DXL, ENS TP & ATP] components.

5) Select the problem system from the System Tree and verify the DXL lookup is successful [Select System -> Actions -> DXL -> Lookup in DXL].

6) Register a cloud account with your email address and update the details under ePO -> Server Settings -> McAfee® ePO™ Cloud Bridge -> Edit, and update the details.

We need to understand the workflow of the workspace.

Common causes of errors from the MAR Workspace page, and their solutions (from ePO):

Source: Go to MAR Health Status and ensure all the categories are in GREEN.

Concern/Error: Cloud Storage & Services shows "Error Fetching Data".
Solution: Verify the McAfee® ePO™ Cloud Bridge extensions are installed and up to date. [These extensions show under the ePolicy Orchestrator category.] If the extensions are up to date, check that the account is configured under Server Settings \ McAfee® ePO™ Cloud Bridge.

Concern/Error: Cloud Storage & Services shows "Unreachable".
Solution: From the Workspace page, click Configuration, move the cursor to the name "cloud account" and you will see the pencil mark for EDIT. Click it and Proceed to select the location to store the data.
NOTE: There are 3 locations; changing the location will not fetch data from the previous location.

Concern/Error: Cloud Storage & Services shows "Unreachable".
Solution: Follow the articles KB89062 and KB89236. Ensure these 3 URLs are accessible from ePO:
https://provision.manage.mcafee.com/provision/
https://api.tm-data.intelsecurity.com/
https://validatetoken.manage.mcafee.com/

Raghavendra GC
McAfee Technical Support – APAC
Customer Success Group
www.mcafee.com
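As an added example (not part of the thread, and not McAfee's own tooling), the following PowerShell, run on the ePO server, checks the three URLs from the last row above plus the DXL Cloud Databus URL from precheck 2 for DNS resolution, direct TCP 443 reachability, and an HTTPS response. The hostnames are the ones named in this reply; the 15-second timeout, the TLS 1.2 pin and the choice of the EU databus URL are my assumptions.

```powershell
# Added example (not from the original thread): run on the ePO server to check the
# cloud endpoints named above. Any HTTP status code (even 401/403/404/405) proves the
# TLS path works end to end; a DNS failure or a timeout points at firewall/proxy config.
$urls = @(
    'https://provision.manage.mcafee.com/provision/'
    'https://api.tm-data.intelsecurity.com/'
    'https://validatetoken.manage.mcafee.com/'
    'https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce'   # EU databus; use your region's URL
)

# Windows PowerShell 5.1 may negotiate TLS 1.0 by default; pin TLS 1.2
# (assumed to be what the endpoints accept, as ePO itself negotiates).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

$results = foreach ($u in $urls) {
    $hostName = ([System.Uri]$u).Host

    # DNS: Resolve-DnsName returns the CNAME chain too, so keep only A records.
    try {
        $dns = (Resolve-DnsName -Name $hostName -Type A -ErrorAction Stop |
                Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
    } catch { $dns = 'FAIL' }

    # Direct TCP probe: bypasses any proxy, so a FAIL here together with a good HTTPS
    # result below simply means egress is proxy-only.
    $tcp = (Test-NetConnection -ComputerName $hostName -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # HTTPS: a non-2xx answer still carries a status code; a transport failure does not.
    try {
        $http = [int](Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop).StatusCode
    } catch {
        if ($_.Exception.Response) { $http = [int]$_.Exception.Response.StatusCode }
        else                       { $http = 'FAIL: ' + $_.Exception.Message }
    }

    [pscustomobject]@{ Host = $hostName; DNS = $dns; Tcp443 = $tcp; Https = $http }
}

$results | Format-Table -AutoSize
```

If the ePO server reaches the internet only through a proxy, add `-Proxy http://<proxy>:<port>` (and `-ProxyUseDefaultCredentials` if it authenticates) to the `Invoke-WebRequest` call and read the `Https` column rather than `Tcp443`; the DNS column should still resolve unless the proxy is the only resolver. Compare the hostnames you end up testing with the ones configured under Server Settings so the check and the configuration do not drift apart.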
rgc (McAfee Employee), Message 6 of 6

Re: Test File for MAR Threat Workspace


Adding to the above inputs...

The MAR client handles the file as follows.

When a file is executed on a system and it is not categorized by any of the McAfee products, the file's reputation score is "50" [UNKNOWN].

Only files categorized as unknown are sent to the MAR cloud. Moreover, we should check that the trace plugin is enabled in the MAR policy for this client.

The client machine should have MAR, MA, DXL, ENS ATP & TP installed; this file is then considered unknown.

Troubleshooting whether the trace information is captured by the MAR client and sent to DXL:

The first step of troubleshooting, before reproducing the issue, is to enable debug logging for the MAR client from the MAR policy in ePO.

Policy Catalog ==> select the Active Response 2.x product ==> duplicate the policy assigned to the system/group ==> edit the duplicated policy, click the General tab and uncheck the option "Enable data folder protection"; click the Logger tab ==> change the Level to "Info – Debug"; save and apply this policy.

To reproduce the issue we need a sample unknown file.

 

Follow these steps to create a file with an unknown reputation:

1. Install 7-Zip as a program.
2. Create a text file, for example RGC.txt.
3. Add some text to it and save it, so it isn't blank.
4. Right-click on the file, expand 7-Zip and choose "Add to archive".
5. In the archive dialog, tick "Create SFX archive", hit OK and save it.
6. Go to the newly created .exe, run it and extract it.
7. From the Agent Monitor click "Collect and send props" and "Send events".
8. Check the TIE Reputations page to see that the file shows as UNKNOWN.

 

There are 3 locations in total where the customer's data can be stored in our MAR cloud storage; they are listed below.

EU (Frankfurt): https://api1.eu1.soc.mcafee.com/cloudproxy/databus/produce

US East (N. Virginia): https://api1.us2.soc.mcafee.com/cloudproxy/databus/produce

US West (N. California): https://api1.soc.mcafee.com/cloudproxy/databus/produce

To check the Workspace location, open the URL https://<ePO IP>:8443/remote/propertiesUpdaterCommand.do and enter the ePO console admin credentials.


Raghavendra GC
McAfee Technical Support – APAC
Customer Success Group
www.mcafee.com
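As an added example (not part of the thread, and not McAfee's or 7-Zip's own tooling), the following PowerShell scripts the eight-step procedure given in the accepted solution and repeated in this reply, on the test endpoint: it writes the text file with a unique marker so every run yields a binary TIE has never seen, builds the SFX with the 7-Zip command line, records the hashes you will search for on the TIE Reputations page, runs the SFX, and triggers the same property/event upload as the Agent Monitor buttons via cmdagent.exe. The 7-Zip and McAfee Agent install paths, the working folder under %TEMP% and the file names are my assumptions.

```powershell
# Added example (not from the original thread): command-line version of the
# "unknown file" recipe. Run in an elevated Windows PowerShell on the endpoint
# that has MA, DXL, ENS TP/ATP and the MAR client installed.
$sevenZip = 'C:\Program Files\7-Zip\7z.exe'               # assumed 7-Zip install path
$cmdAgent = 'C:\Program Files\McAfee\Agent\cmdagent.exe'   # assumed McAfee Agent install path
$work     = Join-Path $env:TEMP 'mar-unknown-test'         # assumed working folder
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Steps 2-3. Unique text => unique archive => a hash TIE/GTI has never seen (UNKNOWN, 50).
# Re-archiving identical text would rebuild a file TIE may already know from an earlier test.
$txt = Join-Path $work 'RGC.txt'
"MAR unknown-file test $(Get-Date -Format o) $([guid]::NewGuid())" | Set-Content -Path $txt

# Steps 4-5. "Add to archive" + "Create SFX archive" == 7z a -sfx<module>.
# 7z.sfx is the GUI self-extractor the context menu uses; 7zCon.sfx is the console one.
$sfx = Join-Path $work ('mar-test-{0}.exe' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
& $sevenZip a -sfx7z.sfx $sfx $txt | Out-Null
if ($LASTEXITCODE -ne 0) { throw "7z.exe failed with exit code $LASTEXITCODE" }

# Record the identifiers TIE keys on BEFORE executing, so the reputation lookup is unambiguous.
$hashes = foreach ($alg in 'MD5', 'SHA1', 'SHA256') {
    [pscustomobject]@{ Algorithm = $alg; Hash = (Get-FileHash -Path $sfx -Algorithm $alg).Hash }
}
$hashes | Format-Table -AutoSize

# Step 6. Execute and extract: the execution is what ENS ATP looks up and MAR traces.
# -o<dir> and -y are the 7-Zip SFX switches for target folder and "assume yes".
$outDir = Join-Path $work 'extracted'
Start-Process -FilePath $sfx -ArgumentList "-o`"$outDir`"", '-y' -Wait

# Step 7. Same as Agent Monitor > "Collect and send props" (-p) and "Send events" (-f).
& $cmdAgent -p
& $cmdAgent -f

# Step 8 is manual: search the printed SHA256/MD5 on the TIE Reputations page in ePO;
# the file should appear with reputation UNKNOWN, and (with tracing enabled) in MAR.
```

Keep the printed hashes with the test record: if the file later turns up in the Workspace under a different reputation, or not at all, the hash is what you correlate against the MAR client debug log and the TIE Reputations entry. Delete the working folder afterwards so the throwaway executable does not linger on the endpoint.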